Hacker News

Is there any rationale for running docker with sudo (assuming the non-uid-0 user is in the docker group)? https://github.com/bloomberg/goldpinger/blob/master/Makefile



Not really, but note that adding your user to the docker group is precisely identical to disabling sudo's password authentication for your user (adding users to the docker group gives a free privilege escalation from that user to root).

Now, that said, the Docker client does quite a few things (such as unpacking archives) that you might not want to be done as root. Especially if the client is running on a different machine.


Is there any easy way to give each user their own docker runtime? I always thought it would be very useful: this way you can give all of your users the ability to easily run all the software they want.


Yes, but it'd currently require giving root access to your users. Rootless containers[1] is a project I started a while ago, and now (with some patches) you can run Docker (and Kubernetes) as an unprivileged user. There are some caveats, but I'd recommend checking it out.

[1]: https://github.com/rootless-containers



As the other comment indicated, giving someone docker access is equivalent to giving them sudo. A lot of people are unaware of that, so some systems enforce sudo usage to make it clear.
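The two comments above make the same point: docker-group membership is root-equivalent and should be reviewed like a sudoers entry. As an added example (not from the thread), a POSIX sh audit helper that lists who holds that access, including accounts whose primary GID is the docker group, which the member list in /etc/group omits; the group and passwd sample data below are constructed.

```shell
# Audit helper: who can reach the Docker socket through group membership?
# Reads group(5)/passwd(5)-format files so it can be run against copies.

# Print all users in group $1, sorted and deduplicated.
# Usage: group_members <group> <group_file> <passwd_file>
group_members() {
    group=$1; gfile=$2; pfile=$3
    gid=$(awk -F: -v g="$group" '$1 == g { print $3 }' "$gfile")
    {
        # supplementary members listed in the group file: name:x:gid:a,b,c
        awk -F: -v g="$group" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$gfile"
        # accounts whose primary GID is this group (absent from the list above)
        if [ -n "$gid" ]; then
            awk -F: -v id="$gid" '$4 == id { print $1 }' "$pfile"
        fi
    } | sort -u
}

# Print the docker-group members; return 1 when anyone holds that access,
# so the function can gate a CI or host-hardening check.
audit_docker_group() {
    members=$(group_members docker "$1" "$2")
    if [ -z "$members" ]; then
        echo "docker group: no members"
        return 0
    fi
    echo "root-equivalent via docker group:"
    printf '%s\n' "$members" | sed 's/^/  /'
    return 1
}

# Constructed sample files standing in for /etc/group and /etc/passwd.
SAMPLE_GROUP=$(mktemp); SAMPLE_PASSWD=$(mktemp)
cat >"$SAMPLE_GROUP" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:999:alice,bob
EOF
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
bob:x:1001:1001::/home/bob:/bin/sh
carol:x:1002:999::/home/carol:/bin/sh
EOF
# carol is reported even though /etc/group never names her.
audit_docker_group "$SAMPLE_GROUP" "$SAMPLE_PASSWD" || echo "audit: access found (exit 1)"
```

To run it against a live host, pass /etc/group and /etc/passwd (or copies pulled from each machine) instead of the sample files.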


Based on the simplicity of the build it's doing, there's basically no reason to invoke Docker to produce the image at all. You could use a tool like ko[0] to simply build the Go binary and place it on top of a base image (or keep it based on scratch) without requiring privileges at all, using `ko publish`.

[0] https://github.com/google/go-containerregistry/blob/master/c... [1] https://github.com/google/go-containerregistry/blob/master/c...


No, just a common scenario




